Wednesday, February 13, 2013

Java Confusion

The recent CERT (US Computer Emergency Response Team, http://www.us-cert.gov/) warning not to use Java has caused immense confusion and problems among Internet users.
For example, an unaware user might disable JavaScript in his browser, thereby eliminating the functionality of many interactive web applications such as the Blackboard LMS (Learning Management System). JavaScript, however, is not part of the CERT warning, even though JavaScript and Java plug-ins or applets rely on the same runtime, the Java Virtual Machine (JVM). The JVM is indeed where the problem lies, but only in how it runs plug-ins or applets. Java plug-ins or applets can be disabled separately in browsers even though they use the same JVM as JavaScript.

The security problem stems from how the version of the JVM in question (7u10) allows plug-ins more access to the user's machine and operating system than is advisable, and that excess access is the security risk. If Java plug-ins are disabled, then none of these malware plug-ins can exploit that particular vulnerability. Meanwhile, the JVM can continue to run JavaScript without the security risk.

A later version of the JVM (7u11), issued by Oracle to fix the initial plug-in problem, still has potential vulnerabilities for plug-ins. Plug-ins should remain disabled until Oracle comes out with the appropriate fix, presumably in JVM 7u12.
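A practical way to act on this advice is to check two things on a machine: which Java update is installed, and whether Java content in the browser is switched off. The script below is an added example written for this post, not code from CERT, Oracle or the original author. It parses the version string that `java -version` prints (format `1.7.0_NN`, where NN is the update number), treats update 7u10 and 7u11 as affected exactly as the post describes, and reads the Java Control Panel's `deployment.properties` file, where the "Enable Java content in the browser" setting is stored; the key name `deployment.webjava.enabled` and the assumption that a missing key means "enabled" are assumptions made here, and the sample inputs are constructed.

```python
import re
import subprocess

# Constructed sample of what `java -version` prints (it goes to stderr, not stdout).
SAMPLE_VERSION_OUTPUT = (
    'java version "1.7.0_10"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_10-b18)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 23.6-b04, mixed mode)\n'
)

# Constructed sample of a deployment.properties file with browser Java disabled.
SAMPLE_PROPERTIES_DISABLED = (
    "#deployment.properties\n"
    "deployment.version=7.10\n"
    "deployment.webjava.enabled=false\n"
)

# Assumed key name for the "Enable Java content in the browser" checkbox.
WEBJAVA_KEY = "deployment.webjava.enabled"


def parse_java_version(text):
    """Return (major, update) from `java -version` output, e.g. "1.7.0_10" -> (7, 10).

    Returns None when no recognisable version line is present.
    """
    m = re.search(r'java version "1\.(\d+)\.\d+_(\d+)"', text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(version):
    """True for the updates the post names as still exposing the plug-in hole (7u10, 7u11)."""
    major, update = version
    return major == 7 and update <= 11


def parse_properties(text):
    """Minimal parser for Java's key=value deployment.properties format."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # comment lines
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def web_java_enabled(properties_text):
    """Report whether browser Java content is enabled; assumption: a missing key means enabled."""
    value = parse_properties(properties_text).get(WEBJAVA_KEY, "true")
    return value.lower() != "false"


def assess(version_text, properties_text):
    """Combine both checks into a single verdict a help desk could act on."""
    version = parse_java_version(version_text)
    if version is None:
        return {"version": None, "affected": False, "plugin_enabled": None, "at_risk": False}
    affected = is_affected(version)
    enabled = web_java_enabled(properties_text)
    return {
        "version": "7u%d" % version[1] if version[0] == 7 else "%d.%d" % version,
        "affected": affected,
        "plugin_enabled": enabled,
        # Only the combination matters: an affected JVM whose plug-in is still on.
        "at_risk": affected and enabled,
    }


def check_local_java(properties_text=""):
    """Run the installed `java -version` (if any) and assess it; None when Java is absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return assess(proc.stderr + proc.stdout, properties_text)


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, ""))                          # 7u10, plug-in on: at risk
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_PROPERTIES_DISABLED))  # 7u10, plug-in off: not at risk
    print(check_local_java())
```

The verdict deliberately depends on both conditions together: an affected JVM with browser Java switched off is exactly the state the post recommends, and JavaScript keeps working in that state.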